
@yummyblabla yummyblabla commented Jan 7, 2026

Changes to Authentication OktaSSO parser:

  • Addition: EventResultDetails, SrcDeviceType
  • Remaps: EventSubType --> EventOriginalSubtype, TargetUserType
  • Extensions: ActorUserId, ActorUsername, etc. are extended from their Target counterparts.

EventSubType --> EventOriginalSubtype Change Rationale:

  • Subtype did not fit EventSubtype enumerations

TargetUserType mapping addition Rationale:

  • UserType did not fit UserType enumerations.

@yummyblabla yummyblabla requested review from a team as code owners January 7, 2026 21:10

@oshezaf oshezaf left a comment

The column_if_exists statements are very expensive as they imply calculated columns later on. There is a reason why they are used (needed only for V1 tables. I can explain more). It certainly makes prefiltering ineffective. The way around it is to use a union and a datatable:

let empty = datatable (uni_s:string) [];
(Syslog | union empty)
| where uni_s == ""

@yummyblabla yummyblabla changed the title [ASIM] Make changes to Authentication ASIM OktaSSO parser [ASIM] Make changes to Authentication ASIM OktaSSO and OktaV2 parser Jan 8, 2026

@oshezaf oshezaf left a comment

Thanks! Looks good. Two small comments.

@yummyblabla yummyblabla merged commit 984b789 into master Jan 12, 2026
28 of 29 checks passed
@yummyblabla yummyblabla deleted the derricklee/update-okta-sso-asim-parser branch January 12, 2026 17:31